Efficient protection of kernel data structures via object partitioning
Efficient Protection of Kernel Data Structures via Object Partitioning

Abhinav Srivastava, Jonathon Giffin

AT&T Labs-Research, HP Fortify

ACSAC 2012

Outline

  • Introduction

  • Related Work

  • Sentry System

  • Implementation

  • Evaluation

  • Conclusion

Introduction

  • Kernel-level malware often uses DKOM (Direct Kernel Object Manipulation) to hide a process from the kernel’s process accounting list.

  • It may also escalate a process’ privileges by overwriting the process’ credentials with those of a root or administrative user.

  • We present a system called Sentry that creates access control protections for security-critical kernel data.

Related Work

  • Petroni et al. detect processes that are reachable from the scheduler but absent from the process accounting list.

    • Cannot protect data such as the list of loaded kernel modules, which does not offer multiple views to compare.

  • XFI and BGI guard write instructions subject to access control policy constraints.

    • Require all kernel drivers and modules to be built with this system

    • Low performance.

Sentry System

  • Page-level granularity: use the hardware’s page read/write protection to enforce the access control policy

  • Partitioning: separate kernel data structures into regions which have different access control policies

  • Based on a VM: gives full control over hardware page-fault handling and memory management

Page-level Granularity

  • Old methods

    • Policy checking applied to every possible write operation to kernel data: slow performance

    • Protecting a single security-critical member requires the whole page to be protected: low memory utilization

  • Sentry uses structure partitioning and page write protection to apply access control policies

Page-level Granularity (Cont.)

  • How does page write protection protect the data?

  • Simply by using the write flag in the page table entry

  • If someone tries to write to a protected page, a page fault occurs, and the function sh_page_fault in the Xen hypervisor is called to handle this event

  • Sentry changes the handling function to add a policy check:

    • If the write is valid, the page fault is ignored and the write operation is performed

    • If the write is invalid, the write operation is denied

Partitioning

  • Structures such as task_struct and module contain a mix of security-critical and non-critical fields

  • Structure Division

  • Structure Alignment

Partitioning: Structure Division

  • Split the original Obj by creating a new data structure insecure_Obj containing the non-critical fields

  Original task_struct (abridged):

    uid_t uid, euid, suid
    gid_t gid, egid, sgid
    u64 acct_rss_mem1
    struct list_head tasks
    u64 acct_vm_mem1
    char comm[16]
    void *journal_info
    unsigned long personality
    struct audit_context *audit_context

  After division, task_struct (security-critical members only):

    uid_t uid, euid, suid
    gid_t gid, egid, sgid
    struct list_head tasks
    insecure_task_struct *insecure
    unsigned long personality
    struct audit_context *audit_context

  insecure_task_struct (non-critical members):

    u64 acct_rss_mem1
    u64 acct_vm_mem1
    char comm[16]
    void *journal_info

Partitioning: Structure Alignment

  • Add a buffer to the original Obj to keep the security-critical members and the non-critical members apart

  • This can be done by using compiler options to insert or remove the alignment buffer

  Original struct module (abridged):

    enum module_state state
    struct list_head list
    char name[MODULE_NAME_LEN]
    const char *version
    const char *srcversion

  After alignment, struct module (the buffer pads the critical members out to the page size):

    enum module_state state
    struct list_head list
    char buffer[BIG_SPACE]
    ---- page boundary ----
    char name[MODULE_NAME_LEN]
    const char *version
    const char *srcversion
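The two partitioning techniques and the separate-page allocation from the page creation slide, as an added example in plain C (not code from the paper or the Sentry implementation). Field lists are abridged from the slides; PAGE_SIZE, the 56-byte name length and BIG_SPACE equal to one page are assumptions, and aligned_alloc stands in for the kernel page allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096        /* assumed x86 page size */
#define BIG_SPACE PAGE_SIZE   /* alignment buffer; the size is an assumption */
struct list_head { struct list_head *prev, *next; };

/* Structure division (task_struct on the slides, abridged): non-critical
 * members move into insecure_task_struct, reached through a pointer. */
struct insecure_task_struct {
    uint64_t acct_rss_mem1, acct_vm_mem1;
    char comm[16];
    void *journal_info;
};
struct task_struct {
    unsigned uid, euid, suid, gid, egid, sgid;   /* security-critical */
    struct list_head tasks;                      /* security-critical */
    struct insecure_task_struct *insecure;       /* non-critical half */
};

/* Structure alignment (struct module on the slides, abridged): the buffer
 * pushes the non-critical members onto the next page. */
struct module {
    int state;                  /* security-critical */
    struct list_head list;      /* security-critical */
    char buffer[BIG_SPACE];
    char name[56];              /* non-critical, now on the second page */
    const char *version, *srcversion;
};
static unsigned long pfn(const void *p) { return (uintptr_t)p / PAGE_SIZE; }

/* Page creation: each half of the divided object gets its own page frame, so
 * write-protecting the task_struct page leaves the insecure page writable. */
struct task_struct *task_alloc(void) {
    struct task_struct *t = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    struct insecure_task_struct *i = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    if (!t || !i) { free(t); free(i); return NULL; }
    memset(t, 0, PAGE_SIZE); memset(i, 0, PAGE_SIZE);
    t->insecure = i;
    return t;
}
void task_free(struct task_struct *t) { if (t) { free(t->insecure); free(t); } }
/* 1 if the two halves of a divided task live in different page frames. */
int task_is_partitioned(const struct task_struct *t) { return pfn(t) != pfn(t->insecure); }
/* 1 if, for a page-aligned struct module, the first non-critical member
 * starts on a later page than the last critical one. */
int module_is_partitioned(void) {
    return offsetof(struct module, name) / PAGE_SIZE > offsetof(struct module, list) / PAGE_SIZE;
}
```

The cost of alignment is visible directly: sizeof(struct module) grows past one page, which is the memory-utilization trade-off the evaluation slides measure in pages.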

Policy

A valid write operation can be performed by:

  • Trusted core kernel: core kernel code from symbol _text to _etext, and kernel boot code from symbol __init_begin to __init_end

  • Trusted upgraders: alterations reachable from most exported kernel functions, i.e. the API provided by the kernel

Page Creation &amp; Registration

  • When creating a new instance of a protected structure, Obj and insecure_Obj are placed in separate page frames, and page write protection is added to the page containing Obj

  • The page frame number (PFN) is then sent to Sentry using VMCALL, a method to pass data to the hypervisor, to tell it which page frame needs mediation

Implementation

  • Use Linux 2.6 and the Xen hypervisor

  • Change the task_struct and module structures using division and alignment respectively

  • Change the Linux source code wherever those structures are used so that it refers to the correct variable

    • current->journal_info becomes current->insecure->journal_info

    • Alters 0.036% (2536/7041452) SLOC (source lines of code) in Linux 2.6

    • This can be done with source-to-source transformation techniques, such as those provided by CIL

Implementation (Cont.)

  • Structure Division

    • Applied to the task_struct structure only

    • Categorized 28 of 122 members as critical

    • Changed the structure creation function from kmem_cache_alloc to get_free_pages and kmalloc

  • Structure Alignment

    • Applied to the module structure only

    • Categorized 2 of 29 members as critical

    • Requires only a recompilation of the kernel

Implementation (Cont.)

  • APIs to communicate with the hypervisor

    • addPFNtoDB, removePFNfromDB, checkPFNinDB

  • Modify __sh_propagate to make a shadow of the guest operating system’s memory for the monitor

  • Sentry checks a write operation’s validity from the eip register when sh_page_fault is called, and traverses the stack frames via ebp to obtain the full call trace
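The policy check described on the page-fault, policy and implementation slides, as an added example (not code from the paper or from Xen). The symbol addresses, the two upgrader functions’ ranges and the call-trace arrays are constructed; the eip-or-trace combination of the two rules is this example’s reading of the slides.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed addresses standing in for the kernel symbols named on the
 * slides (_text, _etext, __init_begin, __init_end); real values come from
 * the build's System.map. */
#define SYM_text        0xC0100000UL
#define SYM_etext       0xC0400000UL
#define SYM_init_begin  0xC0400000UL
#define SYM_init_end    0xC0440000UL

/* Trusted upgraders: exported kernel functions through which a write may
 * legitimately reach protected data (names from the slides, ranges made up). */
struct sym_range { const char *name; uintptr_t start, end; };
static const struct sym_range trusted_upgraders[] = {
    { "enqueue_task", 0xC0105000UL, 0xC0105200UL },
    { "dequeue_task", 0xC0105200UL, 0xC0105400UL },
};
#define N_UPGRADERS (sizeof trusted_upgraders / sizeof trusted_upgraders[0])

static int in_range(uintptr_t a, uintptr_t lo, uintptr_t hi) { return a >= lo && a < hi; }

/* Is the faulting eip inside trusted core kernel code or kernel boot code? */
int eip_is_trusted(uintptr_t eip) {
    return in_range(eip, SYM_text, SYM_etext) || in_range(eip, SYM_init_begin, SYM_init_end);
}

/* Does the call trace (return addresses collected by walking ebp frames)
 * pass through a trusted upgrader? */
int trace_via_upgrader(const uintptr_t *trace, size_t depth) {
    for (size_t i = 0; i < depth; i++)
        for (size_t j = 0; j < N_UPGRADERS; j++)
            if (in_range(trace[i], trusted_upgraders[j].start, trusted_upgraders[j].end))
                return 1;
    return 0;
}

/* Decision taken in the sh_page_fault policy hook: 1 = perform the write,
 * 0 = deny it. A module writing the protected page directly fails both rules. */
int write_allowed(uintptr_t eip, const uintptr_t *trace, size_t depth) {
    return eip_is_trusted(eip) || trace_via_upgrader(trace, depth);
}
```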

Evaluation

  • Attack Prevention and Detection

Evaluation (Cont.)

  • Performance on loading and unloading modules

    • Normal: no kernel memory protection

    • Protected: protection without partitioning

    • Sentry: both memory protection and partitioning

Evaluation (Cont.)

  • Performance on file system read/write

  • Memory page utilization

    • A partitioned kernel used 6502 pages, compared to 6302 pages used by the unpartitioned kernel

Evaluation (Cont.)

  • Performance on real world jobs

  • Performance on process data structure

    • 1000 µs = 1 ms

Evaluation (Cont.)

  • False positive analysis

  • Benign modules don’t directly modify security-critical kernel data; they use the exported APIs provided by the kernel

    • For example, benign modules don’t directly modify run_list, but use enqueue_task and dequeue_task to modify this member; those functions are valid APIs, so the modules still work fine

  • Our system did not show any false positives and detected all attacks

Conclusion

  • We create protected memory regions within the unified kernel data space.

  • We show how to optimize kernel memory space layout for the protection constraints created by our system.

  • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.